The Leftover Hash Lemma states that the output of a two-universal hash function applied to an input with sufficiently high entropy is almost uniformly random. In its standard formulation, the lemma refers to a notion of randomness that is (usually implicitly) defined with respect to classical side information. Here, we prove a (strictly) more general version of the Leftover Hash Lemma that is valid even if side information is represented by the state of a quantum system. Furthermore, our result applies to arbitrary $\delta$-almost two-universal families of hash functions. The generalized Leftover Hash Lemma has applications in cryptography, e.g., for key agreement in the presence of an adversary who is not restricted to classical information processing.



I. INTRODUCTION 

We will first consider the task of extracting uniform randomness from a random variable and introduce the Leftover Hash Lemma. Following its discussion, we extend the scenario to include side information that is potentially stored in a quantum state.



A. Randomness Extraction 

Consider a random variable $X$ that is partially known to an agent, i.e., the agent possesses side information $E$ correlated to $X$. One may ask whether it is possible to extract from $X$ a part $Z$ that is completely unknown to the agent, i.e., uniform conditioned on $E$. If yes, what is the maximum size of $Z$? And how is $Z$ computed?

The Leftover Hash Lemma answers these questions. It states that extraction of uniform randomness $Z$ is possible whenever the agent's uncertainty about $X$ is sufficiently large. More precisely, the number $\ell$ of extractable bits is approximately equal to the min-entropy of $X$ conditioned on $E$, denoted $H_{\min}(X|E)$ (see Section I B for a definition and properties). Furthermore, $Z$ can be computed as the output of a function $f$ selected at random from a suitably chosen family of functions called two-universal family of hash functions (see Section I C for a definition). Remarkably, the family can be chosen without knowing the actual probability distribution of $X$ and only depends on the alphabet $\mathcal{X}$ of $X$ and the number of bits $\ell$ to be extracted.

Lemma 1 (Classical Leftover Hash Lemma). Let $X$ and $E$ be random variables and let $\mathcal{F}$ be a two-universal family of hash functions with domain $\mathcal{X}$ and range $\{0,1\}^\ell$. Then, on average over the choices of $f$ from $\mathcal{F}$, the distribution of the output $Z := f(X)$ is $\Delta$-close from uniform conditioned on $E$,^1 where



The lemma immediately implies that for a fixed joint distribution of $X$ and $E$, there is a fixed function $f$ that extracts almost uniform randomness. More precisely, given any $\Delta > 0$, there exists a function $f$ that produces

$$H_{\min}(X|E) - 2\log\frac{1}{2\Delta} \qquad (1)$$

bits that are $\Delta$-close to uniform and independent of $E$.^2

The Leftover Hash Lemma plays an important role in a variety of applications in computer science and cryptography (see, e.g., [1] for an overview). A prominent example is privacy amplification, i.e., the task of transforming a weakly secret key (over which an adversary may have partial knowledge $E$), into a highly secret key (that is uniform and independent of the adversary's information $E$). It was in this context that the use of two-universal hashing for randomness distillation has first been proposed y ■ Originally, the analysis was however restricted to situations where $X$ is uniform and $E$ is bounded in size. Later, versions of the Leftover Hash Lemma similar to Lemma 1 above have been proved independently in and The term leftover hashing was coined in [5], where its use for recycling the randomness in randomized algorithms and for the construction of pseudo-random number generators is discussed (see also 0, Q).

^1 The distance from uniform $\Delta$ measures the statistical distance of the probability distribution of $X$ given $E$ to a uniform distribution. See Section III for a formal definition.

^2 We use log to denote the binary logarithm.
B. Quantum Side Information

A majority of the original work on universal hashing is based entirely on probability theory and side information is therefore (often implicitly) assumed to be represented by a classical system $E$ (modeled as a random variable).^3 In fact, since hashing is an entirely "classical" process (a simple mapping from a random variable $X$ to another random variable $Z$), one may expect that the physical nature of the side information is irrelevant and that a purely classical treatment is sufficient. This is, however, not necessarily the case. It has been shown, for instance, that the output of certain extractor functions may be partially known if side information about their input is stored in a quantum device of a certain size, while the same output is almost uniform conditioned on any side information stored in a classical system of the same size (see [3 for a concrete example and Q for a more general discussion).^4

Here, we follow a line of research started in [9]-[11] and study randomness extraction in the presence of quantum side information $E$ (which, of course, includes situations where $E$ is partially or fully classical). More specifically, our goal is to establish a generalized version of Lemma 1 which holds if the system $E$ is quantum-mechanical. For this, we first need to quickly review the notion of min-entropy as well as of the notion of uniformity, which need to be extended accordingly.

The definition of uniformity in the context of quantum side information $E$ is rather straightforward. Let $Z$ be a classical random variable which takes any value $z \in \mathcal{Z}$ with probability $p_z$ and let $E$ be a quantum system whose state conditioned on $Z = z$ is given by a density operator $\rho_E^{[z]}$ on $\mathcal{H}_E$. This situation is compactly described by the classical-quantum (CQ) state

$$\rho_{ZE} := \sum_{z \in \mathcal{Z}} p_z\, |z\rangle\langle z|_Z \otimes \rho_E^{[z]} , \qquad (2)$$

defined on the product space $\mathcal{H}_Z \otimes \mathcal{H}_E$, where $\mathcal{H}_Z$ is a Hilbert space with orthonormal basis $\{|z\rangle_Z\}_{z \in \mathcal{Z}}$. We say that $Z$ is uniform conditioned on $E$ if $\rho_{ZE}$ has product form $\omega_Z \otimes \rho_E$, where $\omega_Z := \mathbb{1}_Z/|\mathcal{Z}|$ is the maximally mixed state on $\mathcal{H}_Z$. More generally, we say that $Z$ is $\Delta$-close to uniform conditioned on $E$ if there exists a state $\sigma_E$ on $E$ for which the trace distance between $\rho_{ZE}$ and $\omega_Z \otimes \sigma_E$ is at most $\Delta$ (see Section III for a formal definition). The trace distance is a natural choice of metric because it corresponds to the distinguishing advantage.^5 Furthermore, in the purely classical case, the trace distance reduces to the statistical distance.

^3 If the side information $E$ is classical, the Leftover Hash Lemma can be formulated without the need to introduce $E$ explicitly (see, e.g., Q). Instead, one may simply interpret all probability distributions as being conditioned on a fixed value of the side information.

^4 Note that there is no sensible notion of a conditional probability distribution where the conditioning is on the state of a quantum (as opposed to a classical) system. An implicit treatment of side information $E$, where one considers all probability distributions to be conditioned on a specific value of $E$, as explained in the previous footnote, is therefore not possible in the general case.

Next, we generalize the notion of min-entropy to situations involving quantum side information. Before we do this, note that the classical min-entropy $H_{\min}(X|E)$ has an operational interpretation as the guessing probability of $X$ given $E$, namely

$$H_{\min}(X|E) = -\log p_{\mathrm{guess}}(X|E) . \qquad (3)$$

Here, $p_{\mathrm{guess}}(X|E)$ denotes the probability of correctly guessing the value of $X$ using the optimal strategy with access to $E$. The optimal strategy in the classical case is to guess, for each value $e$ of $E$, the $X$ with the highest conditional probability $P_{X|E=e}$. The guessing probability is thus

$$p_{\mathrm{guess}}(X|E) = \sum_e P_E(e)\, \max_x P_{X|E=e}(x) .$$

A generalization of the min-entropy to situations where $E$ may be a quantum system has first been proposed in [10] (see Section II for a formal definition). As shown in [13], the operational interpretation (3) naturally extends to this more general case. In other words, the min-entropy, $H_{\min}(X|E)$, is a measure for the probability of guessing $X$ using an optimal strategy with access to the quantum system $E$.

However, the actual requirement on the entropy measure used in Lemma 1 is that it accurately characterizes the total amount of randomness contained in $X$, i.e. the number of uniformly random bits that can be extracted using an optimal extraction strategy. As we will show below, $H_{\min}(X|E)$ (or, more precisely, a smooth version of it) meets this requirement.

For this purpose, let be fixed and assume that $f$ is a function that maps $X$ to a string $Z = f(X) \in \{0,1\}^\ell$ of length $\ell$ that is uniform conditioned on the side information $E$. Then, obviously, the probability of guessing $Z$ correctly given $E$ is equal to and, by virtue of (3), we find that

$$H_{\min}(Z|E) = \ell . \qquad (4)$$

Furthermore, the probability of guessing $Z = f(X)$ correctly cannot be smaller than the probability of guessing $X$ correctly. This fact can again be expressed in terms of min-entropies,

$$H_{\min}(Z|E) \le H_{\min}(X|E) , \qquad (5)$$



i.e., the min-entropy can only decrease under the action of a function. Combining and (5) immediately yields

$$\ell \le H_{\min}(X|E) . \qquad (6)$$

We conclude that the number $\ell$ of uniform bits (relative to $E$) that can be extracted from data $X$ is upper bounded by the min-entropy of $X$ conditioned on $E$. This result may be seen as a converse of (1).

^5 Let $p_{\mathrm{succ}}$ be the maximum probability that a distinguisher, presented with a random choice of either the state $\rho$ or the state $\sigma$, can correctly guess which of the two he has seen. The distinguishing advantage is then defined as the advantage compared to a random guess, which is given by $p_{\mathrm{succ}} - \frac{1}{2} = \frac{1}{4}\|\rho - \sigma\|_1$ (see e.g. H)

So far, the claim (6) is restricted to the extraction of perfectly uniform randomness. In order to extend this concept to the more general case of approximately uniform randomness, we need to introduce the notion of smooth min-entropy. Roughly speaking, for any $\varepsilon > 0$, the $\varepsilon$-smooth min-entropy of $X$ given $E$, denoted $H_{\min}^{\varepsilon}(X|E)$, is defined as the maximum value of $H_{\min}(X|E)$ evaluated for all density operators $\tilde\rho$ that are $\varepsilon$-close to $\rho$ (see Section II for a formal definition).

The above argument leading to (6) can be generalized in a straightforward manner to smooth min-entropy, and results in the bound

^ < i?„^^(X|E) 

for the maximum number $\ell$ of extractable bits that are $\Delta$-close to uniform conditioned on $E$. Crucially, our extended version of the Leftover Hash Lemma implies that this bound can be reached, up to additive terms of order $\log(1/\Delta)$ (see Theorem 6 and Theorem 7). We thus conclude that the min-entropy of $X$ conditioned on $E$, in particular its "smoothed" version, is an accurate measure for the amount of uniform randomness (conditioned on $E$) that can be extracted from $X$.



C. Almost Two-Universal Hashing

The notion of two-universal hashing has been introduced by Carter and Wegman [31 ■ A family $\mathcal{F}$ of functions from $\mathcal{X}$ to $\mathcal{Z}$ is said to be two-universal if, for any pair of distinct inputs $x$ and $x'$, and for $f$ chosen at random from $\mathcal{F}$, the probability of a collision $f(x) = f(x')$ is not larger than $\delta := 1/|\mathcal{Z}|$. Note that this value for the collision probability corresponds to the one obtained by choosing $\mathcal{F}$ as the family of all functions with domain $\mathcal{X}$ and range $\mathcal{Z}$.

Later, the concept of two-universal hashing has been generalized to arbitrary collision probabilities $\delta$ [15]. Namely, a family of functions $\mathcal{F}$ from $\mathcal{X}$ to $\mathcal{Z}$ is called $\delta$-almost two-universal if

$$\Pr_{f \in \mathcal{F}}\big[f(x) = f(x')\big] \le \delta \qquad (7)$$

for any $x \ne x'$. A two-universal family as above simply corresponds to the special case $\delta = 1/|\mathcal{Z}|$.

The classical Leftover Hash Lemma (Lemma 1) can be generalized to $\delta$-almost two-universal hash functions [1]. More precisely, when extracting an $\ell$-bit string from data $X$, its distance from uniform conditioned on $E$ is bounded by $\Delta = \frac{1}{2}\sqrt{(2^\ell\delta - 1) + 2^{\ell - H_{\min}(X|E)}}$.



D. Main result

Our main result is a generalization of the Leftover Hash Lemma for $\delta$-almost two-universal families of hash functions which is valid in the presence of quantum side information. While the statement is new for general $\delta$-almost two-universal hash functions, the special case where $\delta$ = has been proved previously by one of us [13].

Lemma 2 (General Leftover Hash Lemma). Let $X$ be a random variable, let $E$ be a quantum system, and let $\mathcal{F}$ be a $\delta$-almost two-universal family of hash functions from $\mathcal{X}$ to $\{0,1\}^\ell$. Then, on average over the choices of $f$ from $\mathcal{F}$, the output $Z := f(X)$ is $\Delta$-close to uniform conditioned on $E$, where

$$\Delta = \inf_{\varepsilon > 0} \left( \frac{1}{2}\sqrt{(2^\ell\delta - 1) + 2^{\ell - H_{\min}(X|E) + \log(2/\varepsilon^2 + 1)}} + \varepsilon \right) .$$

Furthermore, if $\delta \le 2^{-\ell}$, i.e., if $\mathcal{F}$ is two-universal, then

$$\Delta = \frac{1}{2}\sqrt{2^{\ell - H_{\min}(X|E)}} . \qquad (8)$$

Note that inserting $\delta = 2^{-\ell}$ into the first expression for $\Delta$ yields a formula which is less tight than (8). The latter, therefore, requires a separate proof. In the technical part below, the two claims are formulated more generally for the smooth min-entropy (Theorem [S] and Theorem 7).



E. Applications and Related Work



Quantum versions of the Leftover Hash Lemma [10] for two-universal families of hash functions have been used in the context of privacy amplification against a quantum adversary [11]. This application has gained prominence with the rise of quantum cryptography and quantum key distribution in particular. There, the side information $E$ is gathered during a key agreement process between two parties by an eavesdropper who is not necessarily limited to classical information processing. The quantum generalization of the Leftover Hash Lemma is then used to bound the amount of secret key that can be distilled by the two parties.

The restriction to two-universal families of hash functions leads to the need for a random seed of length Q{n), where $n$ is the length in bits of the original partially secret string. This seed is used to choose $f$ from a two-universal family $\mathcal{F}$. The main result of this paper, Lemma 2, and a suitable construction of a $\delta$-almost two-universal family of hash functions (see Section IV) allow for a shorter seed of length proportional to $\ell$, log j and log ^- The length of secret key that can be extracted with this method is only reduced by a term proportional to log ^ compared to the extractor using two-universal hashing. Furthermore, the generalized Leftover Hashing Lemma allows for an extension of existing cryptographic security proofs to $\delta$-almost two-universal families of hash functions and may lead to a speed-up in practical implementations.^6

Recently, the problem of randomness extraction with quantum side information has generated renewed interest. It has been shown that the classical technique [18] of XORing a classical source about which an adversary holds quantum information with a $\delta$-biased mask results in a uniformly distributed string [19].^7

However, to achieve even shorter seed lengths, more advanced techniques such as Trevisan's [21] extractor have been studied in |23 - |23 |. In (2^, it is shown that a seed of length $O(\mathrm{poly} \log n)$ is sufficient to generate a key of length $\ell \approx H_{\min}(X) - \log\dim\mathcal{H}_E$, where $\dim\mathcal{H}_E$ is a measure of the size of the adversary's quantum memory. In [i^l, the result was extended to the formalism of conditional min-entropies. They attain a key length of $\ell \approx H_{\min}(X|E)$, which can be arbitrarily larger than $H_{\min}(X) - \log\dim\mathcal{H}_E$. Furthermore, as we show in (5), this key length is almost optimal. Our result may be useful to further improve the performance of these extractors (see discussion in [2^).

Furthermore, our result should be used instead of the classical Leftover Hashing Lemma whenever randomness is extracted in a context governed by the laws of quantum physics. For example, consider a device that needs a seed that is random conditioned on its internal state. In this case the use of the classical Leftover Hashing Lemma instead of its quantum version, Lemma 2, corresponds to the implicit and potentially unjustified assumption that the device does not make use of quantum mechanics.



F. Organization of the paper 

In Section II we discuss various aspects of the smooth entropy framework, which will be needed for our proof. We then give the proof of our generalized Leftover Hash Lemma (Lemma 2) in Section III. More precisely, we provide statements of the Leftover Hashing Lemma for two-universal and $\delta$-almost two-universal hashing in terms of the smooth min-entropy (Theorems 9 and 10). Finally, in Section IV we combine known constructions of $\delta$-almost two-universal hash functions and discuss their use for randomness extraction with shorter random seeds. Appendix B may be of independent interest because it establishes a relation between the smooth min- and max-entropies (as defined above and used in [13, HI, HI]) and certain related entropic quantities used in earlier work (e.g., in M)



^6 See, e.g. [16] and [13], where a practical implementation of privacy amplification is discussed in Section V.

^7 See also [20] for a generalization of this work to the fully quantum setting.



II. SMOOTH ENTROPIES 

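Let $\mathcal{H}$ be a finite-dimensional Hilbert space. We use $\mathcal{L}(\mathcal{H})$, $\mathcal{L}^\dagger(\mathcal{H})$ and $\mathcal{P}(\mathcal{H})$ to denote the set of linear, Hermitian and positive semi-definite operators on $\mathcal{H}$, respectively. We define the set of normalized quantum states by $\mathcal{S}_=(\mathcal{H}) := \{\rho \in \mathcal{P}(\mathcal{H}) : \mathrm{tr}\,\rho = 1\}$ and the set of sub-normalized states by $\mathcal{S}_\le(\mathcal{H}) := \{\rho \in \mathcal{P}(\mathcal{H}) : 0 < \mathrm{tr}\,\rho \le 1\}$. Given a pure state $|\phi\rangle \in \mathcal{H}$, we use $\phi = |\phi\rangle\langle\phi|$ to denote the corresponding projector in $\mathcal{P}(\mathcal{H})$. The inverse of a Hermitian operator is meant to be taken on its support only (generalized inverse). Given a bipartite Hilbert space $\mathcal{H}_{AB} := \mathcal{H}_A \otimes \mathcal{H}_B$ and a state $\rho_{AB} \in \mathcal{S}_\le(\mathcal{H}_{AB})$, we denote by $\rho_A$ and $\rho_B$ its marginals $\rho_A = \mathrm{tr}_B\,\rho_{AB}$ and $\rho_B = \mathrm{tr}_A\,\rho_{AB}$.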

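The trace distance between states $\rho$ and $\tau$ is given by $\frac{1}{2}\|\rho - \tau\|_1 = \frac{1}{2}\mathrm{tr}\,|\rho - \tau|$. We also employ the purified distance $P$ as a metric on $\mathcal{S}_\le(\mathcal{H})$ [26]. It is an upper bound on the trace distance and defined in terms of the generalized fidelity $F$ as

$$P(\rho,\tau) := \sqrt{1 - F(\rho,\tau)^2} , \quad\text{where}\quad F(\rho,\tau) := \mathrm{tr}\,\big|\sqrt{\rho}\sqrt{\tau}\big| + \sqrt{(1 - \mathrm{tr}\,\rho)(1 - \mathrm{tr}\,\tau)} .$$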

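We will need that the purified distance is a monotone under trace non-increasing completely positive maps (CPMs). Let $\mathcal{E}$ be a trace non-increasing CPM, then [2y|

$$P(\rho,\tau) \ge P(\mathcal{E}(\rho),\mathcal{E}(\tau)) . \qquad (9)$$

Note that the projection $\rho \mapsto \Pi\rho\Pi$ for any projector $\Pi$ is a trace non-increasing CPM. We define the $\varepsilon$-ball of states close to $\rho \in \mathcal{S}_\le(\mathcal{H})$ as

$$\mathcal{B}^\varepsilon(\rho) := \{\tilde\rho \in \mathcal{S}_\le(\mathcal{H}) : P(\rho,\tilde\rho) \le \varepsilon\} .$$

We will now define the smooth min-entropy [10].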

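Definition 1. Let $\varepsilon \ge 0$ and $\rho_{AB} \in \mathcal{S}_\le(\mathcal{H}_{AB})$. The min-entropy of $A$ conditioned on $B$ is given by

$$H_{\min}(A|B)_\rho := \max_{\sigma_B \in \mathcal{S}_=(\mathcal{H}_B)} \sup\{\lambda \in \mathbb{R} : \rho_{AB} \le 2^{-\lambda}\,\mathbb{1}_A \otimes \sigma_B\} .$$

Furthermore, the smooth min-entropy of $A$ conditioned on $B$ is defined as

$$H_{\min}^{\varepsilon}(A|B)_\rho := \max_{\tilde\rho_{AB} \in \mathcal{B}^\varepsilon(\rho_{AB})} H_{\min}(A|B)_{\tilde\rho} .$$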

The conditional min-entropy is a measure of the uncertainty about the state of a system $A$ given quantum side information $B$. In particular, if the system $A$ describes a classical random variable (i.e. if the state is CQ), the min-entropy can be interpreted as a guessing probability.^8 For general quantum states, the smooth min-entropy satisfies data-processing inequalities. For example, if a CPM is applied to the $B$ system or if a measurement is conducted on the $A$ system, the smooth min-entropy of $A$ given $B$ is guaranteed not to decrease.^9

^8 See discussion in Section Uand ig for details.

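Finally, we will need a fully quantum generalization of the collision entropy (Rényi-entropy of order 2).

Definition 2. Let $\rho_{AB} \in \mathcal{S}_\le(\mathcal{H}_{AB})$ and $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$, then the collision entropy of $A$ conditioned on $B$ of a state $\rho_{AB}$ given is $-\log\Gamma_c(\rho_{AB}|\sigma_B)$, where

$$\Gamma_c(\rho_{AB}|\sigma_B) := \mathrm{tr}\big(\rho_{AB}(\mathbb{1}_A \otimes \sigma_B^{-1/2})\big)^2 .$$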

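We will use the fact that the collision entropy provides an upper bound on the min-entropy. The proof of the following statement can be found in Appendix C and constitutes one of the main technical contributions of this work.

Lemma 3. Let $\rho_{XB} \in \mathcal{S}_\le(\mathcal{H}_{XB})$ be a CQ-state and $\varepsilon > 0$. Then, there exists a state $\sigma_B \in \mathcal{S}_=(\mathcal{H}_B)$ such that

$$\Gamma_c(\rho_{XB}|\sigma_B) \le 2^{-H_{\min}(X|B)_\rho} . \qquad (10)$$

Moreover, there exists a normalized CQ-state $\bar\rho_{XB} \in \mathcal{B}^\varepsilon(\rho_{XB})$ such that

$$\Gamma_c(\bar\rho_{XB}|\bar\rho_B) \le 2^{-H_{\min}(X|B)_\rho + \log\left(\frac{2}{\varepsilon^2} + 1\right)} . \qquad (11)$$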

III. PROOF OF THE LEFTOVER HASH LEMMA

In this section we give bounds on the distance from uniform of the quantum state after privacy amplification with two-universal and $\delta$-almost two-universal hashing (Theorems 6 and 7). The proof of Lemma 2 then follows.

First, we extend the definition of the distance from uniform to sub-normalized states for technical reasons.

Definition 3. Let $\rho_{AB} \in \mathcal{S}_\le(\mathcal{H}_{AB})$, then we define the distance from uniform of $A$ conditioned on $B$ as

$$\Delta(A|B)_\rho := \min_{\sigma_B} \frac{1}{2}\|\rho_{AB} - \omega_A \otimes \sigma_B\|_1 , \qquad (12)$$

where $\omega_A := \mathbb{1}_A/\dim\mathcal{H}_A$ and the minimum is taken over all $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$ satisfying $\mathrm{tr}\,\sigma_B = \mathrm{tr}\,\rho_B$.

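As a first step, we bound the distance from uniform in terms of the collision entropy.

Lemma 4. Let $\rho_{AB} \in \mathcal{S}_\le(\mathcal{H}_{AB})$ and $\tau_B \in \mathcal{S}_\le(\mathcal{H}_B)$ with $\mathrm{supp}\{\tau_B\} \supseteq \mathrm{supp}\{\rho_B\}$, then

$$\Delta(A|B)_\rho \le \frac{1}{2}\sqrt{d_A\,\Gamma_c(\rho_{AB}|\tau_B) - \mathrm{tr}\big(\rho_B\tau_B^{-1/2}\rho_B\tau_B^{-1/2}\big)} .$$

^9 See for precise statements and proofs.

^10 Note that sub-normalized states have to be considered due to our definition of the smoothing of the min-entropy.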


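Proof. We apply the Hölder inequality (Lemma 18 in Appendix with parameters $r = t = 4$, $s = 2$, $A = C = \mathbb{1}_A \otimes \tau_B^{1/4}$ and $B = (\mathbb{1}_A \otimes \tau_B^{-1/4})(\rho_{AB} - \omega_A \otimes \rho_B)(\mathbb{1}_A \otimes \tau_B^{-1/4})$. This leads to

$$2\Delta(A|B)_\rho \le \|\rho_{AB} - \omega_A \otimes \rho_B\|_1 = \|ABC\|_1 \le \big\||A|^r\big\|_1^{1/r}\,\big\||B|^s\big\|_1^{1/s}\,\big\||C|^t\big\|_1^{1/t} \le \sqrt{d_A\,\mathrm{tr}\big((\rho_{AB} - \omega_A \otimes \rho_B)(\mathbb{1}_A \otimes \tau_B^{-1/2})\big)^2} .$$

We simplify the expression on the r.h.s. further using

$$\mathrm{tr}\big((\rho_{AB} - \omega_A \otimes \rho_B)(\mathbb{1}_A \otimes \tau_B^{-1/2})\big)^2 = \mathrm{tr}\big(\rho_{AB}(\mathbb{1}_A \otimes \tau_B^{-1/2})\big)^2 + \mathrm{tr}\big((\omega_A \otimes \rho_B)(\mathbb{1}_A \otimes \tau_B^{-1/2})\big)^2 - 2\,\mathrm{tr}\big(\rho_{AB}(\mathbb{1}_A \otimes \tau_B^{-1/2})(\omega_A \otimes \rho_B)(\mathbb{1}_A \otimes \tau_B^{-1/2})\big)$$

$$= \Gamma_c(\rho_{AB}|\tau_B) - \frac{1}{d_A}\,\mathrm{tr}\big(\rho_B\tau_B^{-1/2}\rho_B\tau_B^{-1/2}\big) ,$$

which concludes the proof. □

The above bound can be simplified by setting $\tau_B = \rho_B$:

$$\Delta(A|B)_\rho \le \frac{1}{2}\sqrt{d_A\,\Gamma_c(\rho_{AB}|\rho_B) - \mathrm{tr}\,\rho_B} . \qquad (13)$$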

We now consider a scenario where $X$ is picked from a set $\mathcal{X}$ and $E$ is a quantum system whose state may depend on $X$. The situation is described by a CQ-state of the form

X 

where the probability of $x$ occurring is the trace of the sub-normalized state $\rho_E^{[x]}$ and — p[f ' . After applying a function $f : \mathcal{X} \to \{0,1\}^\ell$ chosen at random from a family of hash functions the resulting CQ-state is given by

where $z \in \{0,1\}^\ell$, $p_f = 1/|\mathcal{F}|$ and

x,f(x)=z 

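Formally, randomness extraction can be modelled as a trace-preserving CPM, $\mathcal{A}$, from $\mathcal{H}_{FX} \to \mathcal{H}_{FZ}$ that maps

$$\rho_F \otimes \rho_{XE} \mapsto (\mathcal{A} \otimes \mathcal{I}_E)(\rho_F \otimes \rho_{XE}) = \rho_{FZE} .$$

The following lemma yields a bound on the collision entropy of the output of the hash function in terms of the collision entropy of the input.

Lemma 5. Let $\mathcal{F}$ be $\delta$-almost two-universal, let $\rho_{XE}$ and $\rho_{FZE}$ be defined as in (14) and (15), respectively, and let $\tau_E \in \mathcal{S}_=(\mathcal{H}_E)$. Then,

$$\Gamma_c(\rho_{FZE}|\rho_F \otimes \tau_E) \le \Gamma_c(\rho_{XE}|\tau_E) + \delta\,\mathrm{tr}\big(\rho_E\tau_E^{-1/2}\rho_E\tau_E^{-1/2}\big) .$$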
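Proof. The collision entropy on the l.h.s. can be rewritten as an expectation value over $F$, that is

$$\Gamma_c(\rho_{FZE}|\rho_F \otimes \tau_E) = \mathrm{tr}\big(\rho_{FZE}(\mathbb{1}_Z \otimes \rho_F^{-1/2} \otimes \tau_E^{-1/2})\big)^2 = \mathbb{E}_F\Big[\sum_z \mathrm{tr}\big(\rho_E^{[F,z]}\tau_E^{-1/2}\rho_E^{[F,z]}\tau_E^{-1/2}\big)\Big] = \sum_{x,x'} \mathbb{E}_F\big[\delta_{F(x)=F(x')}\big]\,\mathrm{tr}\big(\rho_E^{[x]}\tau_E^{-1/2}\rho_E^{[x']}\tau_E^{-1/2}\big) .$$

We have used (16) to substitute for $\rho_E^{[F,z]}$ in the last step. The expectation value can be evaluated using the defining property (7) of $\delta$-almost two-universal families. We get

$$\mathbb{E}_F\big[\delta_{F(x)=F(x')}\big] = \Pr_F\big[F(x) = F(x')\big] \le \delta$$

if $x \ne x'$ and 1 otherwise. We use this relation and the fact that the trace terms are positive to bound

$$\Gamma_c(\rho_{FZE}|\rho_F \otimes \tau_E) \le \sum_x \mathrm{tr}\big(\rho_E^{[x]}\tau_E^{-1/2}\rho_E^{[x]}\tau_E^{-1/2}\big) + \delta \sum_{x \ne x'} \mathrm{tr}\big(\rho_E^{[x]}\tau_E^{-1/2}\rho_E^{[x']}\tau_E^{-1/2}\big) .$$

We now complete the second sum with the terms where $x = x'$ to get the statement of the lemma. □

If we set $\tau_E = \rho_E$, the result can be simplified further:

$$\Gamma_c(\rho_{FZE}|\rho_F \otimes \rho_E) \le \Gamma_c(\rho_{XE}|\rho_E) + \delta\,\mathrm{tr}\,\rho_E . \qquad (17)$$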

We are now ready to give a bound on the distance from uniform $\Delta(Z|FE)$ after privacy amplification with two-universal and $\delta$-almost two-universal families of hash functions. Note that we consider the distance from uniform conditioned on $F$ as well as $E$. This describes the situation where the chosen hash function (the value $f$) is published after its use (strong extractor regime).

The distance from uniform conditioned on $E$ averaged over the choice of $f$ is given by

$$\sum_f p_f\,\Delta(Z|E)_{\rho^{[f]}} , \quad\text{where}\quad \rho_{ZE}^{[f]} = \sum_z |z\rangle\langle z|_Z \otimes \rho_E^{[f,z]} ,$$

and it can be bounded in terms of $\Delta(Z|FE)$ as



/ 



f 



A{Z\EF) 



p ' 



(18) 



where $\sigma_E$ optimizes (12) for $\Delta(Z|EF)_\rho$. Hence, an upper bound on $\Delta(Z|FE)$ implies an upper bound on the average distance to uniform conditioned on $E$ as well.

For two-universal hashing, we get the following bound (see also [3).



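Theorem 6. Let $\mathcal{F}$ be two-universal and let $\rho_{XE}$ and $\rho_{ZEF}$ be defined as in (14) and (15), respectively. Then, for any $\varepsilon > 0$,

$$\Delta(Z|FE)_\rho \le \varepsilon + \frac{1}{2}\sqrt{2^{\ell - H_{\min}^{\varepsilon}(X|E)_\rho}} .$$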

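Proof. We use Lemma 4 to bound $\Delta(Z|FE)_\rho$. In particular, we set $\tau_{FE} := \rho_F \otimes \tau_E$ to get

$$2\Delta(Z|FE)_\rho \le \sqrt{2^\ell\,\Gamma_c(\rho_{ZFE}|\tau_{FE}) - \mathrm{tr}\big(\rho_E\tau_E^{-1/2}\rho_E\tau_E^{-1/2}\big)} \le \sqrt{2^\ell\,\Gamma_c(\rho_{XE}|\tau_E)} ,$$

where we have used Lemma 5 and that $\mathcal{F}$ is two-universal ($\delta \le 2^{-\ell}$) in the last step. The r.h.s. can be expressed in terms of a min-entropy using (10). With an appropriate choice of $\tau_E$, we have

$$2\Delta(Z|FE)_\rho \le \sqrt{2^{\ell - H_{\min}(X|E)_\rho}} . \qquad (19)$$

We have now shown the statement of the theorem for the case $\varepsilon = 0$.

Finally, the bound can be expressed in terms of a smooth min-entropy. Let $\tilde\rho_{XE} \in \mathcal{B}^\varepsilon(\rho_{XE})$ be the CQ-state (cf. Lemma 19) that optimizes the smooth min-entropy $H_{\min}^{\varepsilon}(X|E)_\rho = H_{\min}(X|E)_{\tilde\rho}$. We define $\tilde\rho_{FZE} := (\mathcal{A} \otimes \mathcal{I}_E)(\rho_F \otimes \tilde\rho_{XE})$ and note that privacy amplification can only decrease the purified distance (9), i.e.

$$\frac{1}{2}\|\rho_{FZE} - \tilde\rho_{FZE}\|_1 \le P(\rho_{FZE},\tilde\rho_{FZE}) \le P(\rho_{XE},\tilde\rho_{XE}) \le \varepsilon .$$

Moreover, let $\tilde\sigma_{FE}$ be the state that minimizes the distance from uniform $\Delta(Z|FE)_{\tilde\rho}$. Then,

$$2\Delta(Z|FE)_\rho \le \|\rho_{FZE} - \omega_Z \otimes \tilde\sigma_{FE}\|_1 \le \|\rho_{FZE} - \tilde\rho_{FZE}\|_1 + \|\tilde\rho_{FZE} - \omega_Z \otimes \tilde\sigma_{FE}\|_1 \le 2\varepsilon + 2\Delta(Z|FE)_{\tilde\rho} .$$

We now apply for $\tilde\rho_{FZE}$ (instead of $\rho_{FZE}$) to get

$$\Delta(Z|FE)_\rho \le \varepsilon + \frac{1}{2}\sqrt{2^{\ell - H_{\min}(X|E)_{\tilde\rho}}} = \varepsilon + \frac{1}{2}\sqrt{2^{\ell - H_{\min}^{\varepsilon}(X|E)_\rho}} ,$$

which concludes the proof. □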



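Next, we consider the case of $\delta$-almost two-universal hashing.

Theorem 7. Let $\mathcal{F}$ be $\delta$-almost two-universal and let $\rho_{XE}$ and $\rho_{ZEF}$ be defined as in (14) and (15), respectively. Then, for any $\varepsilon \ge 0$ and $\bar\varepsilon > 0$,

$$\Delta(Z|FE)_\rho \le \varepsilon + \bar\varepsilon + \frac{1}{2}\sqrt{(2^\ell\delta - 1) + 2^{\ell - H_{\min}^{\varepsilon}(X|E)_\rho + \log\left(\frac{2}{\bar\varepsilon^2} + 1\right)}} .$$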
Proof. We use Lemma 4 as in (13) to bound $\Delta(Z|FE)_\rho$. For normalized $\rho_{ZFE}$, we find

$$2\Delta(Z|FE)_\rho \le \sqrt{2^\ell\,\Gamma_c(\rho_{FZE}|\rho_F \otimes \rho_E) - 1} \le \sqrt{2^\ell\,\Gamma_c(\rho_{XE}|\rho_E) + (2^\ell\delta - 1)} ,$$

where we used Lemma 5 as stated in (17).

The smoothing of the above equation is achieved using the same arguments as in the proof of Theorem 9. However, this time we need to include an additional smoothing parameter $\bar\varepsilon > 0$ in order to be able to apply (11).

Let $\tilde\rho_{XE} \in \mathcal{B}^\varepsilon(\rho_{XE})$ be the CQ-state (cf. Lemma 19) that optimizes the smooth min-entropy $H_{\min}^{\varepsilon}(X|E)_\rho = H_{\min}(X|E)_{\tilde\rho}$ and let $\bar\rho_{XE} \in \mathcal{B}^{\bar\varepsilon}(\tilde\rho_{XE})$ be the CQ-state (cf. Lemma 3) that satisfies

$$\Gamma_c(\bar\rho_{XE}|\bar\rho_E) \le 2^{-H_{\min}(X|E)_{\tilde\rho} + \log\left(\frac{2}{\bar\varepsilon^2} + 1\right)} = 2^{-H_{\min}^{\varepsilon}(X|E)_\rho + \log\left(\frac{2}{\bar\varepsilon^2} + 1\right)} . \qquad (20)$$

Then, $\bar\rho_{XE} \in \mathcal{B}^{\varepsilon + \bar\varepsilon}(\rho_{XE})$ holds due to the triangle inequality of the purified distance. Moreover, we define the state after randomness extraction, $\bar\rho_{FZE} := (\mathcal{A} \otimes \mathcal{I}_E)(\rho_F \otimes \bar\rho_{XE})$. Following the arguments laid out in the proof of Theorem 6, we have

$$\Delta(Z|FE)_\rho \le \varepsilon + \bar\varepsilon + \Delta(Z|FE)_{\bar\rho} \le \varepsilon + \bar\varepsilon + \frac{1}{2}\sqrt{2^\ell\,\Gamma_c(\bar\rho_{XE}|\bar\rho_E) + (2^\ell\delta - 1)} .$$

This can be bounded using (20), which concludes the proof. □

The proof of the Leftover Hash Lemma stated in the introduction (Lemma 5) follows when we set $\varepsilon = 0$ in Theorem 9 and Theorem 10. To see this, note that the statements of the two theorems can be expressed in terms of the distance from uniform averaged over the choice of $f$ using (18).
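
The averaged statement can be checked numerically in the purely classical special case (Theorem 6 with $\varepsilon = 0$, i.e. the bound (8)). The following is an added example, not code from the paper: it computes $H_{\min}(X|E)$ from the guessing probability (3), averages the distance from uniform over a two-universal family, and compares the result with $\frac{1}{2}\sqrt{2^{\ell - H_{\min}(X|E)}}$. The family of all $\ell \times n$ binary matrices over GF(2), the toy sizes and the leaky source are assumptions of this example.

```python
from itertools import combinations, product
from math import log2, sqrt

N_BITS, ELL = 4, 2   # constructed toy sizes: X is a 4-bit string, 2 bits are extracted


def hash_matrix(rows, x):
    """f_M(x) = M x over GF(2); each row of M is packed into an integer."""
    z = 0
    for row in rows:
        z = (z << 1) | (bin(row & x).count("1") & 1)
    return z


def family():
    """All ELL x N_BITS binary matrices: a two-universal family (assumed here)."""
    return list(product(range(2 ** N_BITS), repeat=ELL))


def max_collision_probability():
    """max over x != x' of Pr_f[f(x) = f(x')], computed exhaustively."""
    fam = family()
    worst = 0
    for x, y in combinations(range(2 ** N_BITS), 2):
        hits = sum(hash_matrix(m, x) == hash_matrix(m, y) for m in fam)
        worst = max(worst, hits)
    return worst / len(fam)


def guessing_probability(p_xe):
    """p_guess(X|E) = sum_e max_x P_XE(x, e) for classical side information E."""
    best = {}
    for (x, e), p in p_xe.items():
        best[e] = max(best.get(e, 0.0), p)
    return sum(best.values())


def min_entropy(p_xe):
    """H_min(X|E) = -log2 p_guess(X|E), equation (3)."""
    return -log2(guessing_probability(p_xe))


def distance_from_uniform(p_xe, rows):
    """(1/2) sum_{z,e} |P_ZE(z,e) - 2^-ELL P_E(e)| for Z = f_M(X)."""
    p_ze, p_e = {}, {}
    for (x, e), p in p_xe.items():
        z = hash_matrix(rows, x)
        p_ze[(z, e)] = p_ze.get((z, e), 0.0) + p
        p_e[e] = p_e.get(e, 0.0) + p
    return 0.5 * sum(abs(p_ze.get((z, e), 0.0) - pe / 2 ** ELL)
                     for e, pe in p_e.items() for z in range(2 ** ELL))


def average_distance(p_xe):
    """Distance from uniform conditioned on E, averaged over the choice of f."""
    fam = family()
    return sum(distance_from_uniform(p_xe, rows) for rows in fam) / len(fam)


def lhl_bound(p_xe):
    """Right-hand side of (8): (1/2) sqrt(2^(ELL - H_min(X|E)))."""
    return 0.5 * sqrt(2 ** (ELL - min_entropy(p_xe)))


def leaky_source():
    """Constructed source: X uniform on 4 bits, E reveals the lowest bit of X."""
    return {(x, x & 1): 1 / 16 for x in range(2 ** N_BITS)}


if __name__ == "__main__":
    src = leaky_source()
    print("H_min(X|E)        =", min_entropy(src))
    print("max collision prob =", max_collision_probability())
    print("average distance   =", average_distance(src))
    print("bound (8)          =", lhl_bound(src))
```
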



IV. EXPLICIT CONSTRUCTIONS WITH SHORTER SEEDS

Here, we combine known constructions of two-universal and $\delta$-almost two-universal hash functions and discuss their use for randomness extraction with shorter random seeds. We consider a scenario where $X$ is an $n$-bit string $x \in \{0,1\}^n$ and $E$ is a quantum system. The challenge is typically to optimize the following parameters:

a) the error described by the distance from uniform, $\epsilon := \Delta(Z|FE)$, which should be small,

b) the length of the extracted key, $\ell$, which one wants to make as large as possible (close to $H_{\min}(X|E)$) and

c) the length of the random seed, $s := \log|\mathcal{F}|$, needed to choose $f$, which one wants to keep small.

The latter point is important in practical implementations of privacy amplification, for example in quantum key distribution (QKD), where the choice of $f$ has to be communicated between two parties.

We will first review the explicit constructions of ($\delta$-almost) two-universal hash functions used in this section. In [lil. Carter and Wegman proposed several constructions of two-universal function families, trying to minimize the size of $\mathcal{F}$. An example of a two-universal set of hash functions with $|\mathcal{F}| = 2^n$ is the set $\mathcal{F} = \{f_a\}_{a \in \{0,1\}^n}$ consisting of elements

$$f_a : \{0,1\}^n \to \{0,1\}^\ell , \qquad x \mapsto x \cdot a \bmod 2^\ell , \qquad (21)$$

where $x \cdot a$ denotes the multiplication in the field $GF(2^n)$. The fact that $\mathcal{F}$ is two-universal can be readily verified by considering the difference $f_a(x) - f_a(x') = (x - x') \cdot a \bmod 2^\ell$ and noting that the mapping $a \mapsto (x - x') \cdot a$ is a bijection if $x - x' \ne 0$.

With $\delta$-almost two-universal families, a larger value of $\delta$ typically allows for a smaller set $\mathcal{F}$. This is nicely illustrated by the following well-known construction based on polynomials. Let $\mathbb{F}$ be an arbitrary field and let $r$ be a positive integer. We define the family $\mathcal{F} = \{f_a\}_{a \in \mathbb{F}}$ of functions

/a 



{x\ , . . . , Xf ) 



F 



(22) 



Using the fact that a polynomial of degree $r - 1$ can only have $r - 1$ zeros, it is easy to verify that $\mathcal{F}$ is $\delta$-almost two-universal, for $\delta = (r - 1)/|\mathbb{F}|$.

Another method to construct $\delta$-almost two-universal families of hash functions is to concatenate two such families. We will use the following lemma by Stinson (see Theorem 5.4 in [H).

Lemma 8. Let $\mathcal{F}_1$ be $\delta_1$-almost two-universal from $\{0,1\}^n$ to $\{0,1\}^k$ and let $\mathcal{F}_2$ be $\delta_2$-almost two-universal from $\{0,1\}^k$ to $\{0,1\}^\ell$. Then, the family $\{f_2 \circ f_1 : f_1 \in \mathcal{F}_1, f_2 \in \mathcal{F}_2\}$ consisting of all concatenated hash functions is $(\delta_1 + \delta_2)$-almost two-universal.
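
The three constructions above, (21), the polynomial family and the concatenation of Lemma 8, can be checked exhaustively at toy sizes. The following is an added example, not code from the paper: the parameters $n = 6$, $k = 3$, $\ell = 2$ and the irreducible polynomials are assumptions, and the polynomial hash is taken in the standard evaluation form $x_1 a^{r-1} + \ldots + x_r$, which is an assumption because the explicit expression in (22) is not reproduced on this page.

```python
from fractions import Fraction
from itertools import combinations


def gf_mul(a, b, n, modulus):
    """Product of a and b in GF(2^n); `modulus` is an irreducible polynomial of degree n."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a >> n:              # degree reached n: reduce modulo the field polynomial
            a ^= modulus
    return result


# Constructed toy parameters (assumptions of this example, not from the paper).
N, K, ELL = 6, 3, 2
MOD_N = 0b1000011               # x^6 + x + 1, irreducible over GF(2)
MOD_K = 0b1011                  # x^3 + x + 1, irreducible over GF(2)


def mult_hash(a, x, n, ell, modulus):
    """Construction (21): the low `ell` bits of x * a computed in GF(2^n)."""
    return gf_mul(x, a, n, modulus) & ((1 << ell) - 1)


def poly_hash(a, x, k, r, modulus):
    """Polynomial hash over GF(2^k): x is split into r blocks x_1..x_r of k bits and
    mapped to x_1 a^(r-1) + ... + x_r (assumed form), evaluated by Horner's rule."""
    acc = 0
    for i in reversed(range(r)):
        block = (x >> (i * k)) & ((1 << k) - 1)
        acc = gf_mul(acc, a, k, modulus) ^ block
    return acc


def max_collision_probability(tables):
    """Exact max over x != x' of Pr_f[f(x) = f(x')], f uniform over `tables`."""
    worst = 0
    for x, y in combinations(range(len(tables[0])), 2):
        worst = max(worst, sum(t[x] == t[y] for t in tables))
    return Fraction(worst, len(tables))


def family_21():
    """One lookup table per seed a in {0,1}^N for construction (21)."""
    return [[mult_hash(a, x, N, ELL, MOD_N) for x in range(2 ** N)]
            for a in range(2 ** N)]


def family_poly():
    """Polynomial family from N bits to K bits with r = N / K blocks."""
    r = N // K
    return [[poly_hash(a, x, K, r, MOD_K) for x in range(2 ** N)]
            for a in range(2 ** K)]


def family_concatenated():
    """f2 o f1 as in Lemma 8: f1 polynomial (N -> K bits), f2 from (21) (K -> ELL bits)."""
    second = [[mult_hash(b, y, K, ELL, MOD_K) for y in range(2 ** K)]
              for b in range(2 ** K)]
    return [[f2[y] for y in f1] for f1 in family_poly() for f2 in second]


if __name__ == "__main__":
    print("(21):          delta =", max_collision_probability(family_21()))
    print("polynomial:    delta =", max_collision_probability(family_poly()))
    print("concatenation: delta =", max_collision_probability(family_concatenated()))
```

At these sizes the concatenated family's exact collision probability stays below the $\delta_1 + \delta_2$ guaranteed by Lemma 8, which is an upper bound and not an equality.
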

Combining the general results on $\delta$-almost two-universal hashing of Section III with the explicit constructions described above, we obtain the following statements.

If we do not care about $s$, we may choose a two-universal family of hash functions and recover a result by Renner [10]:

Theorem 9. There exists a family of hash functions from $\{0,1\}^n$ to $\{0,1\}^\ell$ satisfying

$$s = n \quad\text{and}\quad \epsilon \le \varepsilon + \frac{1}{2}\sqrt{2^{\ell - H_{\min}^{\varepsilon}(X|E)_\rho}} \quad\text{for any } \varepsilon > 0 .$$
Proof. We apply Theorem 6 using the two-universal family constructed in (21), which yields $s = \log|\mathcal{F}| = n$. □

We now show that we can choose a family of hash functions such that $s$ is proportional to the key length $\ell$ instead of the input string length $n$.

Theorem 10. There exists a family of hash functions from $\{0,1\}^n$ to $\{0,1\}^\ell$ satisfying

$$s = 2\lfloor \ell + \log(n/\ell) + \log(1/\varepsilon^2) - 1 \rfloor \quad\text{and}\quad \epsilon \le 3\varepsilon + \frac{1}{2}\sqrt{2^{\ell - H_{\min}^{\varepsilon}(X|E)_\rho + \log\left(\frac{2}{\varepsilon^2} + 1\right)}} \quad\text{for any } \varepsilon > 0 .$$

Proof. We use the standard classical way of concatenating two hash functions to obtain the required parameters [l^l-. For the first function, we set $k := \lfloor \ell + \log(n/\ell) + \log(1/\varepsilon^2) \rfloor$ and use the field $\mathbb{F} = GF(2^k)$ in the polynomial-based hash construction from (22). Interpreting the $n$-bit strings as $r = \lceil n/k \rceil$ blocks of $k$ bits, the first hash function maps from $\{0,1\}^n$ to $\{0,1\}^k$ and requires a $k$-bit seed. Then, regular two-universal hashing from (21) with a seed length of again $k$ bits is used to map from $\{0,1\}^k$ to $\{0,1\}^\ell$. The two seed lengths add up to $s = 2k = 2\lfloor \ell + \log(n/\ell) + \log(1/\varepsilon^2) \rfloor$. Polynomial-based hashing achieves a $\delta_1$ of at most

$$\frac{r - 1}{2^k} \le \frac{n}{k\,2^k} \le \frac{4\,\ell\,\varepsilon^2}{k\,2^\ell} \le \frac{4\,\varepsilon^2}{2^\ell}$$

by the choice of $r$ and the fact that $k > \ell + \log(n/\ell) + \log(1/\varepsilon^2) - 2$. Together with the $\delta_2 \le 2^{-\ell}$ from the two-universal hashing, we get from Lemma 8 that this construction yields a $\delta_1 + \delta_2 \le$ — almost two-universal family of hash functions. Inserting this expression for $\delta$ into Theorem 7 and setting $\bar\varepsilon = \varepsilon$ yields

$$\epsilon \le 2\varepsilon + \frac{1}{2}\sqrt{2^{\ell - H_{\min}^{\varepsilon}(X|E)_\rho + \log\left(\frac{2}{\varepsilon^2} + 1\right)} + 4\varepsilon^2} .$$

The theorem then follows as an upper bound to this expression. □
Appendix A: Technical Results

The first lemma is an application of Uhlmann's theo- 
rem 28] to the purified distance^^ (see [2^ for a proof). 



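Lemma 11. Let $\rho, \tau \in \mathcal{S}_\leq(\mathcal{H})$, $\mathcal{H}' \cong \mathcal{H}$ and $\varphi \in \mathcal{H} \otimes \mathcal{H}'$ be a purification of $\rho$. Then, there exists a purification $\vartheta \in \mathcal{H} \otimes \mathcal{H}'$ of $\tau$ with $P(\rho, \tau) = P(\varphi, \vartheta)$.

Corollary 12. Let $\rho, \tau \in \mathcal{S}_\leq(\mathcal{H})$ and $\bar\rho \in \mathcal{S}_\leq(\mathcal{H} \otimes \mathcal{H}')$ be an extension of $\rho$. Then, there exists an extension $\bar\tau \in \mathcal{S}_\leq(\mathcal{H} \otimes \mathcal{H}')$ of $\tau$ with $P(\rho, \tau) = P(\bar\rho, \bar\tau)$.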

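In the following, we apply this result to an $\varepsilon$-ball of pure states, $\mathcal{B}^\varepsilon_p(\rho) := \{\tilde\rho \in \mathcal{B}^\varepsilon(\rho) : \operatorname{rank}\tilde\rho = 1\}$.

Corollary 13. Let $\rho \in \mathcal{S}_\leq(\mathcal{H})$ and $\varphi \in \mathcal{H} \otimes \mathcal{H}'$ be a purification of $\rho$. Then,

$$\mathcal{B}^\varepsilon(\rho) \supseteq \{\tilde\rho \in \mathcal{S}_\leq(\mathcal{H}) : \exists\, \tilde\varphi \in \mathcal{B}^\varepsilon_p(\varphi) \text{ s.t. } \tilde\rho = \operatorname{tr}_{\mathcal{H}'} \tilde\varphi\}$$

and equality holds if the Hilbert space dimensions satisfy $\dim \mathcal{H}' \geq \dim \mathcal{H}$.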

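The following lemma establishes a fundamental property of pure bipartite states, namely that every linear operator applied to one subsystem has a dual on the other subsystem, such that the resulting pure state is the same.

Lemma 14. Let $\phi_{AB} \in \mathcal{P}(\mathcal{H}_{AB})$ be pure, $\rho_A = \operatorname{tr}_B \phi_{AB}$, $\rho_B = \operatorname{tr}_A \phi_{AB}$ and let $X \in \mathcal{L}(\mathcal{H}_A)$ be an operator with support and image in $\operatorname{supp}\{\rho_A\}$. Then,

$$(X \otimes 1_B)\,|\phi\rangle_{AB} = \big(1_A \otimes \rho_B^{1/2} X^T \rho_B^{-1/2}\big)\,|\phi\rangle_{AB} ,$$

where the transpose is taken with regard to the Schmidt basis of $\phi_{AB}$.

Proof. We introduce the Schmidt decomposition $|\phi\rangle_{AB} = \sum_i \sqrt{\lambda_i}\, |i\rangle_A \otimes |i\rangle_B$. Clearly, $(1_A \otimes \rho_B^{-1/2})\,|\phi\rangle_{AB} = \sum_i |i\rangle_A \otimes |i\rangle_B =: |\gamma\rangle_{AB}$ is the (unnormalized) fully entangled state on the support of $\rho_A$ and $\rho_B$. It is easy to verify that $(X \otimes 1_B)\,|\gamma\rangle_{AB} = (1_A \otimes X^T)\,|\gamma\rangle_{AB}$, where the transposed matrix is given by $X^T = \sum_{i,j} \langle i|X|j\rangle_A\, |j\rangle\langle i|_B$. □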

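Corollary 15. Let $\phi_{AB} \in \mathcal{P}(\mathcal{H}_{AB})$ be pure, $\rho_A = \operatorname{tr}_B \phi_{AB}$, $\rho_B = \operatorname{tr}_A \phi_{AB}$ and $f : \mathbb{R}^+ \to \mathbb{R}$ a real-valued function, then

$$(f(\rho_A) \otimes 1_B)\,|\phi\rangle_{AB} = (1_A \otimes f(\rho_B))\,|\phi\rangle_{AB} .$$

We define the notion of a dual projector with regard to a pure state using the following corollary:

Corollary 16. Let $|\phi\rangle_{AB} \in \mathcal{H}_{AB}$ be pure, $\rho_A = \operatorname{tr}_B \phi_{AB}$, $\rho_B = \operatorname{tr}_A \phi_{AB}$ and let $\Pi_A \in \mathcal{P}(\mathcal{H}_A)$ be a projector in $\operatorname{supp}\{\rho_A\}$. Then, there exists a dual projector $\Pi_B$ on $\mathcal{H}_B$ such that

$$\big(\Pi_A \otimes \rho_B^{-1/2}\big)\,|\phi\rangle_{AB} = \big(\rho_A^{-1/2} \otimes \Pi_B\big)\,|\phi\rangle_{AB} .$$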

The next Lemma gives a bound on the purified distance of a state $\rho$ and a projected state $\Pi\rho\Pi$.



The main advantage of the purified distance over the trace distance is that we can always find extensions and purifications without increasing the distance.
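Lemma 17. Let $\rho \in \mathcal{S}_\leq(\mathcal{H})$ and $\Pi$ a projector on $\mathcal{H}$, then

$$P(\rho, \Pi\rho\Pi) \leq \sqrt{2\operatorname{tr}(\Pi^\perp\rho) - \operatorname{tr}(\Pi^\perp\rho)^2} ,$$

where $\Pi^\perp = 1 - \Pi$ is the complement of $\Pi$ on $\mathcal{H}$.

Proof. The generalized fidelity between the two states can be bounded using $\operatorname{tr}(\Pi\rho) \leq \operatorname{tr}(\rho)$. We have

$$\bar{F}(\rho, \Pi\rho\Pi) \geq \operatorname{tr}(\Pi\rho) + 1 - \operatorname{tr}\rho = 1 - \operatorname{tr}(\Pi^\perp\rho) .$$

The desired bound on the purified distance follows from its definition. □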

We also need a Hölder inequality for linear operators and unitarily invariant norms (see [29] for a proof). Here, we state a version for three operators and the trace norm:

Lemma 18. Let $A$, $B$ and $C$ be linear operators and $r, s, t > 0$ such that $\frac{1}{r} + \frac{1}{s} + \frac{1}{t} = 1$, then

$$\|ABC\|_1 \leq \big\||A|^r\big\|_1^{1/r}\, \big\||B|^s\big\|_1^{1/s}\, \big\||C|^t\big\|_1^{1/t} .$$

The following lemma makes clear that the min-entropy smoothing of a state will not destroy its CQ structure.

Lemma 19. Let $\rho_{XB}$ be a CQ-state of the form $\rho_{XB} = \sum_x |x\rangle\langle x| \otimes \rho_B^x$. Then, the state $\tilde\rho_{XB} \in \mathcal{B}^\varepsilon(\rho_{XB})$ that optimizes $H^\varepsilon_{\min}(X|B)_\rho = H_{\min}(X|B)_{\tilde\rho}$ is of the same form.

Proof. Let $\tilde\rho_{AB}$ be any state in $\mathcal{B}^\varepsilon(\rho_{XB})$. We can establish a CQ-state $\tilde\rho_{XB}$ by measuring $A$ in the basis determined by $X$. This operation will not increase the distance $P(\tilde\rho_{AB}, \rho_{XB})$ (cf. [26], Lemma 7) and not decrease the min-entropy (cf. [26], Theorem 19). Thus, we can conclude that the optimal state is CQ. □



Appendix B: Alternative Entropic Quantities 

Here, we discuss two alternative entropic quantities, $\widehat{H}^\varepsilon_{\min}(A|B)$ and $\widehat{H}^\varepsilon_{\max}(A|B)$ and show that they are equivalent (up to terms in $\log\varepsilon$) to the smooth min-entropy and smooth max-entropy, respectively. Some of the technical results of this appendix will be used to give a bound on the collision entropy in terms of the smooth min-entropy (cf. Appendix C and Lemma 3).

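First, note that conditional entropies can be defined in terms of relative entropies, as is well-known for the case of the von Neumann entropy. Let $\rho_{AB}$ be a bipartite quantum state. Then, the conditional von Neumann entropy of $A$ given $B$ is defined as

$$\begin{aligned}
H(A|B) &:= H(\rho_{AB}) - H(\rho_B) \\
&= -D(\rho_{AB} \,\|\, 1_A \otimes \rho_B) && \text{(B1)} \\
&= -\min_{\sigma_B \in \mathcal{S}_=(\mathcal{H}_B)} D(\rho_{AB} \,\|\, 1_A \otimes \sigma_B) , && \text{(B2)}
\end{aligned}$$

where we used Klein's inequality [12], [30] in the last step. The relative entropy is defined as $D(\rho \,\|\, \tau) := \operatorname{tr}(\rho(\log\rho - \log\tau))$ and $H(\rho) := -\operatorname{tr}(\rho\log\rho)$.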

We will now define the smooth min-entropy and an alternative to the smooth entropy as first introduced in [10]. The definition of two versions of the min-entropy is parallel to the case of the von Neumann entropy above; however, the two identities (B1) and (B2) now lead to different definitions. We follow [31] and first introduce the max relative entropy. For two positive operators $\rho \in \mathcal{S}_\leq(\mathcal{H})$ and $\tau \in \mathcal{P}(\mathcal{H})$ we define

$$D_{\max}(\rho \,\|\, \tau) := \inf\{\lambda \in \mathbb{R} : \rho \leq 2^\lambda \tau\} .$$

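Definition 4. Let $\varepsilon > 0$ and $\rho_{AB} \in \mathcal{S}_\leq(\mathcal{H}_{AB})$. The min-entropy and the alternative min-entropy of $A$ conditioned on $B$ are given by

$$H_{\min}(A|B)_\rho = \max_{\sigma_B \in \mathcal{S}_=(\mathcal{H}_B)} -D_{\max}(\rho_{AB} \,\|\, 1_A \otimes \sigma_B) \quad \text{and}$$
$$\widehat{H}_{\min}(A|B)_\rho := -D_{\max}(\rho_{AB} \,\|\, 1_A \otimes \rho_B) ,$$

respectively. Furthermore, the smooth min-entropy and the alternative smooth min-entropy of $A$ conditioned on $B$ are defined as

$$H^\varepsilon_{\min}(A|B)_\rho := \max_{\tilde\rho_{AB} \in \mathcal{B}^\varepsilon(\rho_{AB})} H_{\min}(A|B)_{\tilde\rho} \quad \text{and}$$
$$\widehat{H}^\varepsilon_{\min}(A|B)_\rho := \max_{\tilde\rho_{AB} \in \mathcal{B}^\varepsilon(\rho_{AB})} \widehat{H}_{\min}(A|B)_{\tilde\rho} .$$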

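The smooth max-entropies can be defined as duals of the smooth min-entropies.

Definition 5. Let $\varepsilon > 0$ and $\rho_{AB} \in \mathcal{S}_\leq(\mathcal{H}_{AB})$, then we define the smooth max-entropy and the alternative smooth max-entropy of $A$ conditioned on $B$ as

$$H^\varepsilon_{\max}(A|B)_\rho := -H^\varepsilon_{\min}(A|C)_\rho \quad \text{and}$$
$$\widehat{H}^\varepsilon_{\max}(A|B)_\rho := -\widehat{H}^\varepsilon_{\min}(A|C)_\rho ,$$

where $\rho_{ABC} \in \mathcal{S}_\leq(\mathcal{H}_{ABC})$ is any purification of $\rho_{AB}$.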

The max-entropies are well-defined since the min-entropies are invariant under local isometries on the $C$ system (cf. [26] and Lemma 24) and, thus, independent of the chosen purification. The non-smooth max-entropies $H_{\max}(A|B)_\rho$ and $\widehat{H}_{\max}(A|B)_\rho$ are defined as the limit $\varepsilon \to 0$ of the corresponding smooth quantities. The alternative max-entropy is discussed in Appendix D where it is shown that (cf. also fs^j)

$$\widehat{H}_{\max}(A|B)_\rho = \max_{\sigma_B \in \mathcal{S}_=(\mathcal{H}_B)} \log\operatorname{tr}\big(\Pi^{\rho_{AB}} (1_A \otimes \sigma_B)\big) , \qquad \text{(B3)}$$

where $\Pi^{\rho_{AB}}$ is the projector onto the support of $\rho_{AB}$. Furthermore, we find that

$$\widehat{H}^\varepsilon_{\max}(A|B)_\rho = \inf_{\mathcal{H}_{B'} \supseteq \mathcal{H}_B} \; \min_{\tilde\rho_{AB'} \in \mathcal{B}^\varepsilon(\rho_{AB'})} \widehat{H}_{\max}(A|B')_{\tilde\rho} , \qquad \text{(B4)}$$

where the infimum is taken over all embeddings $\rho_{AB'}$ of $\rho_{AB}$ into $\mathcal{H}_A \otimes \mathcal{H}_{B'}$. In fact, it is sufficient to consider an embedding into a space of size $\dim\mathcal{H}_{B'} = \operatorname{rank}\{\rho_{AB}\} \cdot \dim\mathcal{H}_A$.

The first definition of the smooth max-entropy, $H^\varepsilon_{\max}(A|B)$, is used in H^iHE] and is found to have many interesting properties, e.g. it satisfies a data-processing inequality [26]. The alternative definition, $\widehat{H}^\varepsilon_{\max}(A|B)$, was first introduced in [10] and is used to quantitatively characterize various information theoretic tasks (cf. e.g. [31, 33, 34]). Here, we find that the two smooth min-entropies and the two smooth max-entropies are pairwise equivalent up to terms in $\log\varepsilon$. Namely, the following lemma holds:

Lemma 20. Let $\varepsilon > 0$, $\varepsilon' > 0$ and $\rho_{AB} \in \mathcal{S}_=(\mathcal{H}_{AB})$, then

$$H^{\varepsilon'}_{\min}(A|B)_\rho - \log c \;\leq\; \widehat{H}^{\varepsilon+\varepsilon'}_{\min}(A|B)_\rho \;\leq\; H^{\varepsilon+\varepsilon'}_{\min}(A|B)_\rho ,$$

where $c = 2/\varepsilon^2 + 1/(1 - \varepsilon')$.

The equivalence of the max-entropies follows by their 
definition as duals, i.e. we have 



^^max(AlB)p 



P — -"-"max 



(AJBV. 



For convenience of exposition, we introduce the generalized conditional min-entropy

$$h_{\min}(A|B)_{\rho|\sigma} := -D_{\max}(\rho_{AB} \,\|\, 1_A \otimes \sigma_B) .$$

The proof of Lemma 20 is based on the following result.

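Lemma 21. Let $\varepsilon > 0$ and $\rho_{ABC} \in \mathcal{S}_\leq(\mathcal{H}_{ABC})$ be pure. Then, there exists a projector $\Pi_{AC}$ on $\mathcal{H}_{AC}$ and a state $\tilde\rho_{ABC} = \Pi_{AC}\,\rho_{ABC}\,\Pi_{AC}$ such that $\tilde\rho_{ABC} \in \mathcal{B}^\varepsilon_p(\rho_{ABC})$ and

$$h_{\min}(A|B)_{\tilde\rho|\rho} \geq H_{\min}(A|B)_\rho - \log\frac{2}{\varepsilon^2} .$$

Furthermore, there exists a state $\bar\rho_{AB} \in \mathcal{S}_\leq(\mathcal{H}_{AB})$ that satisfies $\bar\rho_{AB} \in \mathcal{B}^\varepsilon(\rho_{AB})$ and

$$\widehat{H}_{\min}(A|B)_{\bar\rho} \geq H_{\min}(A|B)_\rho - \log\Big(\frac{2}{\varepsilon^2} + \frac{1}{\operatorname{tr}\rho_{AB}}\Big) .$$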



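Proof. The proof is structured as follows: First, we give a lower bound on the entropy $h_{\min}(A|B)_{\tilde\rho|\rho}$ in terms of $H_{\min}(A|B)_\rho$ and a projector $\Pi_B$ that is the dual projector (cf. Corollary 16) of $\Pi_{AC}$ with regard to $\rho_{ABC}$. We then find a lower bound on the purified distance between $\rho_{ABC}$ and $\tilde\rho_{ABC}$ in terms of $\Pi_B$ and define $\Pi_B$ (and, thus, $\Pi_{AC}$) such that this distance does not exceed $\varepsilon$.

Let $\lambda$ and $\sigma_B$ be the pair that optimizes the min-entropy $H_{\min}(A|B)_\rho$, i.e. $H_{\min}(A|B)_\rho = h_{\min}(A|B)_{\rho|\sigma} = -\log\lambda$. We have $\tilde\rho_B \leq \rho_B$ by definition of $\tilde\rho_{ABC}$. Hence, $2^{-h_{\min}(A|B)_{\tilde\rho|\rho}}$ is finite and can be written as

$$2^{-h_{\min}(A|B)_{\tilde\rho|\rho}} = \big\|\rho_B^{-1/2}\,\tilde\rho_{AB}\,\rho_B^{-1/2}\big\|_\infty ,$$

where $\|X\|_\infty$ denotes the maximum eigenvalue of $X$. We bound this expression using the dual projector $\Pi_B$ of $\Pi_{AC}$ with regard to $\rho_{ABC}$ and the fact that $\rho_{AB} \leq \lambda\, 1_A \otimes \sigma_B$ by definition of $\lambda$ and $\sigma_B$:

$$\begin{aligned}
\text{rhs.} &= \big\|\operatorname{tr}_C\big((\Pi_{AC} \otimes \rho_B^{-1/2})\,\rho_{ABC}\,(\Pi_{AC} \otimes \rho_B^{-1/2})\big)\big\|_\infty \\
&= \big\|\Pi_B\,\rho_B^{-1/2}\,\rho_{AB}\,\rho_B^{-1/2}\,\Pi_B\big\|_\infty \\
&\leq \lambda\,\big\|1_A \otimes \Pi_B\,\rho_B^{-1/2}\,\sigma_B\,\rho_B^{-1/2}\,\Pi_B\big\|_\infty \\
&= \lambda\,\|\Pi_B \Gamma_B \Pi_B\|_\infty ,
\end{aligned}$$

where, in the last step, we introduced the Hermitian operator $\Gamma_B := \rho_B^{-1/2}\,\sigma_B\,\rho_B^{-1/2}$. Taking the logarithm on both sides leads to

$$h_{\min}(A|B)_{\tilde\rho|\rho} \geq H_{\min}(A|B)_\rho - \log\|\Pi_B \Gamma_B \Pi_B\|_\infty . \qquad \text{(B5)}$$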



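We use Lemma 17 to bound the distance between $\rho_{ABC}$ and $\tilde\rho_{ABC}$, namely

$$P(\rho_{ABC}, \tilde\rho_{ABC}) \leq \sqrt{2\operatorname{tr}(\Pi^\perp_{AC}\,\rho_{ABC})} = \sqrt{2\operatorname{tr}(\Pi^\perp_B\,\rho_B)} ,$$

where the last equality can be verified using Corollary 16. Clearly, the optimal choice of $\Pi_B$ will cut off the largest eigenvalues of $\Gamma_B$ in (B5) while keeping the states $\rho_{ABC}$ and $\tilde\rho_{ABC}$ close. We thus define $\Pi_B$ to be the minimum rank projector onto the smallest eigenvalues of $\Gamma_B$ such that $\operatorname{tr}(\Pi_B\rho_B) \geq \operatorname{tr}\rho_B - \varepsilon^2/2$ or, equivalently, $\operatorname{tr}(\Pi^\perp_B\rho_B) \leq \varepsilon^2/2$. This definition immediately implies that $\rho_{ABC}$ and $\tilde\rho_{ABC}$ are $\varepsilon$-close and it remains to find an upper bound on $\|\Pi_B \Gamma_B \Pi_B\|_\infty$.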

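Let $\Pi'_B$ be the projector onto the largest remaining eigenvalue in $\Pi_B \Gamma_B \Pi_B$ and note that $\Pi'_B$ and $\Pi^\perp_B$ commute with $\Gamma_B$. Then,

$$\|\Pi_B \Gamma_B \Pi_B\|_\infty = \operatorname{tr}(\Pi'_B \Gamma_B) = \min_{\mu_B} \frac{\operatorname{tr}\big(\mu_B (\Pi^\perp_B + \Pi'_B)\,\Gamma_B\big)}{\operatorname{tr}(\mu_B)} ,$$

where $\mu_B$ is minimized over all positive operators in the support of $\Pi^\perp_B + \Pi'_B$. Fixing instead $\mu_B = (\Pi^\perp_B + \Pi'_B)\,\rho_B\,(\Pi^\perp_B + \Pi'_B)$, we find

$$\|\Pi_B \Gamma_B \Pi_B\|_\infty \leq \frac{\operatorname{tr}\big(\Gamma_B^{1/2}\rho_B\Gamma_B^{1/2}\,(\Pi^\perp_B + \Pi'_B)\big)}{\operatorname{tr}\big((\Pi^\perp_B + \Pi'_B)\,\rho_B\big)} \leq \frac{\operatorname{tr}\big(\Gamma_B^{1/2}\rho_B\Gamma_B^{1/2}\big)}{\operatorname{tr}\big((\Pi^\perp_B + \Pi'_B)\,\rho_B\big)} \leq \frac{2}{\varepsilon^2} .$$

In the last step we used that $\operatorname{tr}(\rho_B^{1/2}\Gamma_B\rho_B^{1/2}) = \operatorname{tr}(\sigma_B) = 1$ and that $\operatorname{tr}((\Pi^\perp_B + \Pi'_B)\rho_B) \geq \varepsilon^2/2$ by definition of $\Pi_B$. We have now established the first statement.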

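To prove the second statement, we introduce an operator $\Delta_B := \rho_B - \tilde\rho_B \geq 0$. The state $\bar\rho_{AB} := \tilde\rho_{AB} + 1_A/d_A \otimes \Delta_B$, where $d_A = \dim\mathcal{H}_A$, satisfies $\bar\rho_B = \rho_B$. We now show that the state $\bar\rho_{AB}$ is $\varepsilon$-close to $\rho_{AB}$. The inequality $\tilde\rho_{AB} \leq \bar\rho_{AB}$ implies $\|\sqrt{\rho_{AB}}\sqrt{\tilde\rho_{AB}}\|_1 \leq \|\sqrt{\rho_{AB}}\sqrt{\bar\rho_{AB}}\|_1$ and, thus,

$$\begin{aligned}
\bar{F}(\rho_{AB}, \bar\rho_{AB}) &\geq F(\rho_{AB}, \tilde\rho_{AB}) + 1 - \operatorname{tr}\rho_{AB} \\
&\geq F(\rho_{ABC}, \tilde\rho_{ABC}) + 1 - \operatorname{tr}\rho_{AB} \\
&= 1 - \operatorname{tr}(\Pi^\perp_{AC}\,\rho_{AC}) \geq 1 - \varepsilon^2/2 ,
\end{aligned}$$

where we used the monotonicity of the fidelity $F(\rho, \tau) := \|\sqrt{\rho}\sqrt{\tau}\|_1$ under the partial trace. Thus, $P(\rho_{AB}, \bar\rho_{AB}) \leq \varepsilon$.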
We use that — p^ and Pab < Pab + 1a/c?a ^ Pb to 
find a lower bound on H^^^{A\B)p = h^^^{A\B)p^p : 



^ — PB Pab Pb 



< 



-1/2- 

Pb Pab Pb 



< A- 



We have A > tr pAs/d^ (Lemma 20 in [2^) and, thus 
i7„,i„(A|B)p > i/„,i„(A|B), - log + 



This concludes the proof of the second statement. □ 

Furthermore, the alternative smooth min-entropy is a lower bound on the smooth min-entropy by definition.

Lemma 22. Let $\rho_{AB} \in \mathcal{S}_\leq(\mathcal{H}_{AB})$, then

$$\widehat{H}_{\min}(A|B)_\rho \leq H_{\min}(A|B)_\rho - \log\frac{1}{\operatorname{tr}\rho_{AB}} .$$

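We are now ready to prove Lemma 20. Namely, we show that, for $\varepsilon > 0$, $\varepsilon' > 0$ and $\rho_{AB} \in \mathcal{S}_\leq(\mathcal{H}_{AB})$, it holds that

$$H^{\varepsilon'}_{\min}(A|B)_\rho - \log c \;\leq\; \widehat{H}^{\varepsilon+\varepsilon'}_{\min}(A|B)_\rho \;\leq\; H^{\varepsilon+\varepsilon'}_{\min}(A|B)_\rho ,$$

where $c = 2/\varepsilon^2 + 1/(\operatorname{tr}\rho_{AB} - \varepsilon')$.

Proof of Lemma 20. Let $\tilde\rho_{AB} \in \mathcal{B}^{\varepsilon'}(\rho_{AB})$ be the state that maximizes $H^{\varepsilon'}_{\min}(A|B)_\rho$. Clearly, $\operatorname{tr}\tilde\rho_{AB} \geq \operatorname{tr}\rho_{AB} - \varepsilon'$. Moreover, Lemma 21 and the triangle inequality of the purified distance imply that there exists a state $\bar\rho_{AB} \in \mathcal{B}^{\varepsilon+\varepsilon'}(\rho_{AB})$ that satisfies

$$\widehat{H}^{\varepsilon+\varepsilon'}_{\min}(A|B)_\rho \geq \widehat{H}_{\min}(A|B)_{\bar\rho} \geq H^{\varepsilon'}_{\min}(A|B)_\rho - \log c ,$$

which concludes the proof of the first inequality. The second inequality follows by applying Lemma 22 to the state that maximizes $\widehat{H}^{\varepsilon+\varepsilon'}_{\min}(A|B)_\rho$. □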



Appendix C: Collision Entropy 

In this section, we prove Lemma 3 which gives a relation between the collision entropy and the min-entropy. First, we provide an inequality in terms of relative entropies.

Lemma 23. Let Pab G S<:{Hab) and E S=(Hb), then 

-Dmax(pAB II 1a (Tb) > logFclpABlcTB) - log tr Pab ■ 



Proof. By definition of the max relative entropy, we have 

Pab < 2^"'-(''ai'II^a^'"i')1a «) ctb and, thus, 

(1a ® ^B '/')Pab(1a ® O-'l') < 2^-='(pab||1a«5.b) _ 

We use this and the fact that tr(pABA) < tr(pABi^) if 
X < r to get 



rc(A|i?),|, < (''ABi|lA»^B)trp^3, 

which concludes the proof. 



□ 



Using the above result and Lemma 21 of Appendix B, we are ready to prove Lemma 3 of Section [Til

Proof of Lemma\^ To prove the first statement, we ap- 
ply Lemma [231 to the state pxB ■ The inequality holds 
in particular for the state CTb that optimizes H^^^^^{X\B)p 
(cf. Definition [Ij) , establishing ([TUl) . 
Next, we use Lemma[^to define pxB G ;B^(pxb)- Thus, 



iI.„i„(X|B), > H„,i„(X|B)p - log (I ^ 



tr pxE 

In particular, we can choose pxB normalized and CQ.^'^ 
We apply Lemma [23l to this state to get 

rc(PxBlpB) < 2-^»in(^|B). < 2-^-n(X|B),+l0g(^ + l) ^ 

which concludes the proof of ([TT|) . □ 



Appendix D: Duality Relation for Alternative 
Smooth Entropies 

Here, we find that the alternative smooth min-entropy of $A$ conditioned on $B$ is invariant under local isometries on the $B$ system. Since all purifications are equivalent up to isometries on the purifying system, this allows the definition of the alternative max-entropy as its dual (see Definition 5). Furthermore, the max-entropy of $A$ conditioned on $B$ is invariant under local isometries on the $B$ system as a direct consequence. Note that the alternative smooth min- and max-entropies are in general not invariant under isometries on the $A$ system, i.e. they depend on the dimension of the Hilbert space $\mathcal{H}_A$.

Lemma 24. Let $\varepsilon > 0$ and $\rho_{AB} \in \mathcal{S}_\leq(\mathcal{H}_{AB})$. Moreover, let $U : \mathcal{H}_B \to \mathcal{H}_D$ be an isometry with $\tau_{AD} := (1_A \otimes U)\,\rho_{AB}\,(1_A \otimes U^\dagger)$. Then,

$$\widehat{H}^\varepsilon_{\min}(A|B)_\rho = \widehat{H}^\varepsilon_{\min}(A|D)_\tau \quad \text{and}$$
$$\widehat{H}^\varepsilon_{\max}(A|B)_\rho = \widehat{H}^\varepsilon_{\max}(A|D)_\tau .$$



To see this, first note that the alternative min-entropy, $\widehat{H}_{\min}(X|B)_{\bar\rho}$, is independent of $\operatorname{tr}\bar\rho_{XB}$. Moreover, measuring $\bar\rho_{XB}$ on the $X$ system will increase the alternative min-entropy while the distance to $\rho_{XB}$ can only decrease.
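Proof. Let $\tilde\rho_{AB} \in \mathcal{B}^\varepsilon(\rho_{AB})$ be the state that maximizes the alternative min-entropy of $A$ conditioned on $B$ and let $\lambda$ be defined with $\widehat{H}^\varepsilon_{\min}(A|B)_\rho = -\log\lambda$. Then $\tilde\rho_{AB} \leq \lambda\, 1_A \otimes \tilde\rho_B$, which implies

$$(1_A \otimes U)\,\tilde\rho_{AB}\,(1_A \otimes U^\dagger) \leq \lambda\, 1_A \otimes (U \tilde\rho_B U^\dagger) .$$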



Hence, Tad < AIa (8) Td. Moreover, Tad G S^(tad) 
due to ©, which implies H^^JA\B)p > i?^i„(A|B)p. 
The same argument in reverse can be applied to get 

i?^in(A|B)p>ij;;,i„(A|D).. 

The invariance under isometry of the dual quantity follows by definition. Namely, let $\rho_{ABE}$ be any purification of $\rho_{AB}$, then


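Lemma 26. Let $\varepsilon > 0$ and $\rho_{AB} \in \mathcal{S}_\leq(\mathcal{H}_{AB})$, then

$$\widehat{H}^\varepsilon_{\max}(A|B)_\rho = \inf_{\mathcal{H}_{B'} \supseteq \mathcal{H}_B} \; \min_{\tilde\rho_{AB'} \in \mathcal{B}^\varepsilon(\rho_{AB'})} \widehat{H}_{\max}(A|B')_{\tilde\rho} ,$$

where $\rho_{AB'}$ is the embedding of $\rho_{AB}$ into $\mathcal{H}_{AB'}$. Furthermore, the infimum is attained for embeddings with $\dim\mathcal{H}_{B'} \geq \dim\operatorname{supp}\{\rho_{AB}\} \cdot \dim\mathcal{H}_A$.

Proof. Let $\rho_{ABC}$ be a purification of $\rho_{AB}$ on a Hilbert space $\mathcal{H}_C$ with $\dim\mathcal{H}_C = \operatorname{rank}\{\rho_{AB}\}$. Furthermore, for any $\mathcal{H}_{B'} \supseteq \mathcal{H}_B$, let $\rho_{AB'C'}$ be the embedding of $\rho_{ABC}$ into $\mathcal{H}_{AB'C'}$ with $\dim\mathcal{H}_{C'} = \dim\mathcal{H}_{AB'}$. We use Corollary 13 twice to upper bound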


c(A|D). 



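where $\tau_{ADE} := (1_A \otimes U \otimes 1_E)\,\rho_{ABE}\,(1_A \otimes U^\dagger \otimes 1_E)$ is a purification of $\tau_{AD}$.

Next, we derive expression (B3) for the alternative non-smooth and smooth max-entropies. The result for the non-smooth entropy was first shown in [3^ and an alternative proof is provided here for completeness.

Lemma 25. Let $\rho_{AB} \in \mathcal{S}_\leq(\mathcal{H}_{AB})$, then

$$\widehat{H}_{\max}(A|B)_\rho = \max_{\sigma_B \in \mathcal{S}_=(\mathcal{H}_B)} \log\operatorname{tr}\big(\Pi^{\rho_{AB}} (1_A \otimes \sigma_B)\big) .$$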



if„^,JA|B)p = -i/,^i„(A|C'), 



™V -■^^min(A|C')p 

PACeo^lPAC') 

<^ min i7,„,JA|B')p 

PAB'C-eOp(PAB'C') 

= . min i/^ax(A|B')p . 

PAB'ee={pAB-) 



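A lower bound on $\widehat{H}^\varepsilon_{\max}(A|B)_\rho$ follows when we require that $\dim\mathcal{H}_{B'} \geq \operatorname{rank}\{\rho_{AB}\} \cdot \dim\mathcal{H}_A = \dim\mathcal{H}_{AC}$. Then, $\mathcal{H}_{B'}$ is large enough to accommodate all purifications of states in $\mathcal{H}_{AC}$. Using Corollary 13 twice, we find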



Proof. Let Pabc be a purification of Pab- Then, 

(1ab(8'/3c'^'')/3abc (Iab^Pc'^^) has marginal Ta 
due to Lemma [T3] This allows us to write 



ABC 



II^bIc 



maxtr(crBrB) = maxtr (npAB(lA <8) ctb)) 



jy^,JA|B)p - ^ min -H^MG)p 

PAc£B' (ejpAC 

mill i/„,^^(A|B')p 

PAB'CeOplPAB-c) 

>_ inin i7„,,JA|B')p . 

PAB-eB^iPAB') 



where the maximization is over all CTb G 5=('Hb)- 



□ 



The alternative smooth max-entropy can be seen as an optimization of the non-smooth quantity over an $\varepsilon$-ball of states, where the ball is embedded in a sufficiently large Hilbert space. We show that (B4) holds.



The infimum is therefore attained and it is sufficient to consider embeddings with $\dim\mathcal{H}_{B'} = \dim\operatorname{supp}\{\rho_{AB}\} \cdot \dim\mathcal{H}_A$. □